Enforce policy before resource.validate
We make client calls in resource.validate for a number of resource plugins to check constraints or run custom validations. However, we enforce resource policies after validate, which results in unnecessary client calls and 'unauthorized' errors from the service. Change-Id: I37c22027115beded4ea9585729a97882c961fad0 Closes-Bug: #1627706
parent
bc6fa5dedf
commit
ada0a1a970
|
@ -697,6 +697,7 @@ class EngineService(service.Service):
|
|||
parent_resource=parent_resource_name,
|
||||
**common_params)
|
||||
|
||||
self.resource_enforcer.enforce_stack(stack)
|
||||
self._validate_deferred_auth_context(cnxt, stack)
|
||||
stack.validate()
|
||||
# For the root stack print a summary of the TemplateResources loaded
|
||||
|
@ -735,7 +736,6 @@ class EngineService(service.Service):
|
|||
args,
|
||||
convergence=conv_eng)
|
||||
|
||||
self.resource_enforcer.enforce_stack(stack)
|
||||
return api.format_stack_preview(stack)
|
||||
|
||||
@context.request_context
|
||||
|
@ -801,7 +801,6 @@ class EngineService(service.Service):
|
|||
stack_user_project_id, convergence, parent_resource_name,
|
||||
template_id)
|
||||
|
||||
self.resource_enforcer.enforce_stack(stack)
|
||||
stack_id = stack.store()
|
||||
if cfg.CONF.reauthentication_auth_method == 'trusts':
|
||||
stack = parser.Stack.load(
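Review bot: In the hunk at `@ -697,6 +697,7 @`, `self.resource_enforcer.enforce_stack(stack)` sits directly ahead of `self._validate_deferred_auth_context(cnxt, stack)` and `stack.validate()` with nothing stating that this order is the authorization boundary. A comment there would keep a later refactor from moving the check back behind validation, for example `# Enforce resource policy first: stack.validate() makes client calls that must not run for a denied request.` Going by the commit message, the `enforce_stack` lines in the other two hunks of this section are the removed ones (the page has lost the `+`/`-` column), so the preview and create paths now appear to depend on this single call. Any other path that builds a stack and validates it without going through this helper should be checked for the same ordering. The enclosing method starts and ends outside the hunk.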
|
||||
|
|
|
@ -24,6 +24,7 @@ from heat.common import context
|
|||
from heat.common import environment_util as env_util
|
||||
from heat.common import exception
|
||||
from heat.common import identifier
|
||||
from heat.common import policy
|
||||
from heat.common import template_format
|
||||
from heat.engine.cfn import template as cfntemplate
|
||||
from heat.engine import environment
|
||||
|
@ -1165,6 +1166,7 @@ class StackServiceTest(common.HeatTestCase):
|
|||
@mock.patch.object(service.api, 'format_stack_preview', new=mock.Mock())
|
||||
@mock.patch.object(service.parser, 'Stack')
|
||||
def test_preview_stack_checks_stack_validity(self, mock_parser):
|
||||
self.patchobject(policy.ResourceEnforcer, 'enforce_stack')
|
||||
exc = exception.StackValidationFailed(message='Validation Failed')
|
||||
mock_parsed_stack = mock.Mock()
|
||||
mock_parsed_stack.validate.side_effect = exc
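Review bot: The `self.patchobject(policy.ResourceEnforcer, 'enforce_stack')` line in `test_preview_stack_checks_stack_validity` only silences the enforcer, so nothing visible in this test pins the ordering the commit is about. Keeping the mock, `enforce = self.patchobject(policy.ResourceEnforcer, 'enforce_stack')`, and ending the test with `enforce.assert_called_once()` would at least show the policy check is reached on the preview path. A companion test in which the stubbed `enforce_stack` raises and `mock_parsed_stack.validate.assert_not_called()` holds would cover the regression itself: a policy denial must stop the request before validate() makes any client call. The test body continues past the end of the hunk, so an assertion further down may already cover part of this.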
|
||||
|
|